kritis-validation-hook is an admission webhook that verifies container image signatures so that only trusted images are admitted into a cluster. Signature verification ensures that only images signed by a trusted authority can be deployed, which lowers the risk of running malicious or tampered code. This topic describes how kritis-validation-hook works and walks through a step-by-step example.
Based on the open-source kritis project, kritis-validation-hook is integrated with Container Registry (ACR) and supports verifying the signatures of images that were signed with Key Management Service (KMS). Together with Security Center, KMS and ACR, it implements an automated image signing and signature verification process that helps you build a more secure software supply chain.
The example in this topic uses the following values:
- The image signed by using KMS is referenced by digest as kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45.
- The KMS public key is stored in the file publickey.txt.
- The KMS key ID is 4a2ef103-5aa3-4220-89ee-kms-key-id.
- The Container Registry namespace that corresponds to the default Kubernetes namespace is 13579-namespace.
- Run the following commands to create an AttestationAuthority object that represents the trusted authority. The manifest embeds the KMS public key from above, base64-encoded on a single line, together with the KMS key ID:

```shell
$ cat <<EOF > AttestationAuthority.yaml
apiVersion: kritis.grafeas.io/v1beta1
kind: AttestationAuthority
metadata:
  name: 13579-namespace
spec:
  noteReference: namespaces/13579-namespace
  publicKeyData: $(cat publickey.txt | base64 | tr -d '\n')
  publicKeyId: 4a2ef103-5aa3-4220-89ee-kms-key-id
EOF
$ kubectl apply -f AttestationAuthority.yaml
```
- Run the following commands to create a GenericAttestationPolicy object that declares the attestation policy and names the trusted authority whose signatures are accepted:

```shell
$ cat <<EOF > GenericAttestationPolicy.yaml
apiVersion: kritis.grafeas.io/v1beta1
kind: GenericAttestationPolicy
metadata:
  name: demo-gap
spec:
  attestationAuthorityNames:
  - 13579-namespace
EOF
$ kubectl apply -f GenericAttestationPolicy.yaml
```
- Run the following commands to test signature verification and confirm that images not attested by the trusted authority are rejected. Note that the second request is denied even though it names the repository of the signed image: the attestation is bound to the image digest, so a tag-only reference is not attested.

```shell
$ kubectl create deployment test-denied --image=alpine:3.11
Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested
$ kubectl create deployment test-denied --image=kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine:3.11
Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine:3.11 is not attested
```
- Run the following command to test signature verification and confirm that the image signed by the trusted authority, referenced by its digest, is deployed:

```shell
$ kubectl create deployment test-allow --image=kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45
deployment.apps/test-allow created
```
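As an added example (not code from this page or from the kritis project), the following POSIX shell script wraps the procedure above: it renders both manifests from parameters, refuses a key file that is not a PEM public key, and checks that a workload image reference is pinned by digest before it is handed to kubectl, since the webhook denies tag-only references. The function names, the PEM check and the argument handling are this script's own assumptions; the namespace, key ID and image values are the ones used on this page.

```shell
#!/bin/sh
# Added example; not from the page or the kritis project.
# Renders the AttestationAuthority and GenericAttestationPolicy manifests
# from parameters and gates a deployment on a digest-pinned image reference.
# Function names, the PEM check and the argument handling are assumptions
# of this script; the namespace, key ID and image values are the page's.
set -eu

# Print an AttestationAuthority manifest.
# $1 = ACR namespace (used as object name and Grafeas note namespace)
# $2 = path to the KMS public key in PEM form
# $3 = KMS key ID
render_attestation_authority() {
    ns=$1; keyfile=$2; keyid=$3
    # Assumption: the KMS public key is a PEM "PUBLIC KEY" block. Refusing
    # anything else fails loudly instead of installing an authority whose
    # key can never verify a signature.
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$keyfile" || {
        echo "render_attestation_authority: $keyfile is not a PEM public key" >&2
        return 1
    }
    # kritis expects the key base64-encoded on a single line.
    keydata=$(base64 < "$keyfile" | tr -d '\n')
    cat <<EOF
apiVersion: kritis.grafeas.io/v1beta1
kind: AttestationAuthority
metadata:
  name: $ns
spec:
  noteReference: namespaces/$ns
  publicKeyData: $keydata
  publicKeyId: $keyid
EOF
}

# Print a GenericAttestationPolicy manifest.
# $1 = policy name, remaining args = AttestationAuthority names to trust
render_policy() {
    name=$1; shift
    cat <<EOF
apiVersion: kritis.grafeas.io/v1beta1
kind: GenericAttestationPolicy
metadata:
  name: $name
spec:
  attestationAuthorityNames:
EOF
    for authority in "$@"; do
        echo "  - $authority"
    done
}

# Succeed only if the image reference is pinned by a sha256 digest.
# Attestations are bound to the digest, so a tag-only reference such as
# registry/repo:3.11 is denied by the webhook even when that tag currently
# points at a signed image.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print the kubectl command for a deployment, or fail before touching the
# cluster if the image is not digest-pinned.
# $1 = deployment name, $2 = image reference
deploy_command() {
    is_digest_pinned "$2" || {
        echo "deploy_command: refusing $2: not pinned by digest" >&2
        return 1
    }
    printf 'kubectl create deployment %s --image=%s\n' "$1" "$2"
}

# Usage: sh gate.sh <acr-namespace> <publickey.txt> <kms-key-id> <image>
# Writes both manifests to the current directory and prints the commands
# to run; review them, then pipe the output to sh.
if [ "$#" -eq 4 ]; then
    render_attestation_authority "$1" "$2" "$3" > AttestationAuthority.yaml
    render_policy demo-gap "$1" > GenericAttestationPolicy.yaml
    echo "kubectl apply -f AttestationAuthority.yaml -f GenericAttestationPolicy.yaml"
    deploy_command test-allow "$4"
fi
```

The digest check is the part worth keeping in a CI pipeline: a tag can be re-pointed at an unsigned image after the pipeline signed it, whereas a digest cannot, so failing fast on tag-only references avoids surprising admission denials and keeps the workload pinned to exactly what was signed.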
- Immutable image tags. With immutable tags, you no longer need to reference the image digest when deploying, because an immutable tag can no longer be re-pointed at a different digest. This improves usability without loosening the check.
- Image vulnerability detection. This feature blocks the deployment of images that contain vulnerabilities at or above a configured severity level, which further lowers security risk.